© 2013 Sentry Metrics Inc. Advanced DDoS Defense Gord Taylor, Global Practice Lead Threat Protection Services October 25, 2013


  • Advanced DDoS Defense

    Gord Taylor, Global Practice Lead – Threat Protection Services
    October 25, 2013
    © 2013 Sentry Metrics Inc.

  • © 2013 Sentry Metrics Inc. Leaders in Information Security, Compliance and Risk Management Solutions | Confidential

    Agenda

    What is DDoS?
    Current State of DDoS Threats
    Do I need a DDoS Mitigation Solution?
    DDoS Attack Types
    DDoS Mitigations
    Summary

  • Who am I?

    Gord Taylor ([email protected])
    Sentry Metrics’ Global Practice Lead – Threat Protection Services
    Advisor for SecTor Security Conference (www.sector.ca) since inception, 7 years ago
    15 years in Information Security field
    20 years working with Financial Institutions
    http://www.sector.ca/

  • What is DDoS?

    A Distributed Denial of Service (DDoS) attack is a deliberate attempt to make a computer system or network unavailable to its intended users.

  • Current State of DDoS Threats

    DDoS attacks are regularly exceeding 100 Gbps rates
    Few companies can handle a sustained DDoS without assistance and/or dedicated tools
    Most ISPs will black hole your address space (route to Null0)
    DDoS attacks are on the rise
    DDoS is not going away, and most signs show it getting worse

  • Current State of DDoS Threats

    Source: Prolexic Quarterly DDoS Attack Report Q2/2013

  • Current State of DDoS Threats

    Arbor Main Page (www.arbornetworks.com) – Oct 5, 2013
    http://www.arbornetworks.com/

  • Do I need a DDoS Solution?

    Source: Arbor Worldwide Infrastructure Security Report 2012

  • Anyone recognize this person?

    Cesar Millan – The Dog Whisperer
    He needed a DDoS Solution

  • Motivation

    Political / Hacktivism
    Distraction
    Extortion
    Fun

  • Motivation

    Source: Arbor Worldwide Infrastructure Security Report 2012

  • Why do DDoS Attacks Continue to Succeed?

    Traditional security mitigation methods are reactive
    Traditional security tools are in the datacentre, so mitigation can only occur after traversing the “last mile”
    Stateless protocols are still prevalent
    BotNets remain easy to create and hard to take down
    NAT usage requires allowing multiple sessions from a single host

  • DoS Attack Types

    Protocol – Flaws in network protocol
      – SYN Flood, Fragmented Packet Flood, Ping of Death, Smurf
    Volumetric – Attack the network
      – UDP Floods, ICMP floods, Spoofed packet floods
    Application
      – Slowloris, SSL Handshake
    Self-Inflicted

  • Protocol Attacks

    Least used
    Typically attacks the network, not the server
    Often fails because the attacker’s ISP prevents the outbound packet
    New technologies such as IPv6, DNSSEC, etc. may cause an increase in these types of attacks
    THC IPv6 Attack Toolkit (updated Oct 12, 2013)

  • Volumetric Attacks

    Most prevalent attack type
    Most often used with a stateless protocol (UDP)
    Source address can be spoofed
    DNS Reflection Attack is most frequent
    Favorite attack of BotNet owners

  • End-User Bandwidth is Increasing

    Source: Akamai State of the Internet Q1/2013

  • Key Findings: Attack sizes increasing rapidly

    Arbor Networks Q3/2013 findings from Atlas (Oct 16, 2013)
    For 2013 an average DDoS attack now stands at 2.64Gb/sec, up 78% from 2012
    54% of attacks so far this year are over 1Gb/sec, up from 33% in 2012
    37% of attacks so far this year are in the 2 – 10 Gb/sec range, up from 15% last year
    44% growth in proportion of attacks over 10Gb/sec, to 4% of all attacks
    More than 350% growth in the number of attacks monitored at over 20Gb/sec so far this year, as compared to the whole of 2012
    87% of all attacks monitored so far this year last less than one hour
    Largest monitored and verified attack size increases significantly to 191Gb/sec

  • Mobile – The New DDoS Attack Platform

    Source: Akamai State of the Internet Q1/2013

  • Application Attacks

    Typically TCP-based
    Typically require fewer clients than Volumetric attacks
    Target is typically to cause servers to consume excessive resources
    May attack business/application logic of web applications

  • What is Being Attacked

    Source: Arbor Worldwide Infrastructure Security Report 2012

  • How it is Being Attacked

    Source: Arbor Worldwide Infrastructure Security Report 2012

  • How it is Being Attacked (2)

    Source: Prolexic Quarterly DDoS Attack Report Q2/2013

  • Defense Types

    On-Demand
      – Vendor-based mitigation
      – Route attacked address space through mitigation centre
      – ISP model
      – Expensive to sustain
    Always-on
      – On-Site appliances
      – Cloud-based CDN / WAF solution
      – Requires web site operators to understand inner workings of applications

  • Defending Against Protocol Attacks

    Protocol attacks take advantage of malformed packets, or abuse design features of some protocols
    Following vendor best practices and hardening mitigates many of these attacks
    Traditional Firewall, IPS, and AV systems will mitigate many as well
    A new class of DDoS Mitigation devices, such as those from Arbor, Fortinet, Radware, Cisco, A10, and others, continues to evolve
    These devices are more typically used to help mitigate Volumetric Attacks

  • Defending Against Volumetric Attacks

    Favorite attack vector of Anonymous, LulzSec
    Also used by Syrian Electronic Army and Al-Qassam Cyber Fighters
    Typically makes use of botnets to overwhelm network bandwidth, or at least overwhelm network gear at the attack target
    DDoS Mitigation appliances can sit between the Internet and your Firewall to “scrub” or rate limit traffic
    In many cases, this is insufficient since your Internet pipe gets overwhelmed, so legitimate traffic never reaches your network
    Cloud-based scrubbing to the rescue

  • Defending Against Volumetric Attacks (2)

    Diagram of the on-demand scrubbing flow between the Origin Server and the Mitigation Centre, in order:
      – Persistent GRE tunnel established with Mitigation Centre
      – Determine that an application in the /24 network is under attack
      – Advertise /24 to route through Mitigation Centre
      – Requests in this address range are routed to Mitigation Centre
      – Mitigation Centre scrubs anomalous data
      – Packet is forwarded through GRE Tunnel to the Origin Server
    Many upstream ISPs now offer a service where they “scrub” and rate limit traffic inline, with no need for a GRE tunnel

  • DDoS Mitigation Services – Pros and Cons

    Initial setup can take some time to get right
    Profiling “normal” traffic
    Can mitigate any protocol attacks
    Asymmetric routing ensures no added latency when sending data back to legitimate users
    Typically not “always on” since ISPs and 3rd-Parties don’t want to invest too heavily in DDoS Mitigation equipment and Bandwidth
    Downtime when an attack starts
    Provisioning SSL certificates
    Doesn’t protect against application logic attacks

  • Application Attacks

    Innumerable attacks:
      – HTTP Protocol, URL Encoding, Web Server Flaws, 0-Day vulnerabilities
      – Resource Consumption: Large GETs, Slow Post, SSL Handshake, Slowloris, Search Forms
      – SQL Injection, XSS, XSRF
      – Information Leakage (Error Messages, SQL Statements, IP Addresses)
    Attackers want to use as few hosts as possible to attack from, since most require a TCP connection
    DDoS Mitigation services have generic prevention
    Web Application Firewalls mitigate Application or Business Logic attacks
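As an added example (not from the deck), a server-side guard for the slow resource-consumption attacks listed above (Slowloris, Slow POST): it closes connections that have not finished their request headers by a deadline and caps concurrent connections per source address, with the cap kept high because NAT puts many users behind one address; the deadline and cap values are constructed.

```python
"""Server-side guard for slow resource-consumption attacks (Slowloris, Slow
POST): a connection must finish its request headers by a deadline, and one
source address may hold only a bounded number of open connections. Added
example; the deadline and cap values are constructed, not from the deck."""
import time
from collections import defaultdict
from dataclasses import dataclass

HEADER_DEADLINE_S = 10.0  # constructed: a complete header block should arrive well within this
MAX_CONN_PER_SRC = 50     # constructed: kept high because NAT puts many users behind one IP

@dataclass
class Conn:
    src: str
    opened: float
    headers_done: bool = False

class SlowRequestGuard:
    """Tracks open connections; the clock is injected so the reaper can be tested offline."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.conns = {}
        self.per_src = defaultdict(int)

    def accept(self, conn_id, src):
        """Admit a new connection unless its source already holds MAX_CONN_PER_SRC."""
        if self.per_src[src] >= MAX_CONN_PER_SRC:
            return False
        self.conns[conn_id] = Conn(src, self.now())
        self.per_src[src] += 1
        return True

    def headers_complete(self, conn_id):
        # The server calls this once it has read the blank line that ends the headers.
        self.conns[conn_id].headers_done = True

    def close(self, conn_id):
        conn = self.conns.pop(conn_id)
        self.per_src[conn.src] -= 1

    def reap(self):
        """Close every connection still waiting for headers past the deadline; return their ids."""
        now = self.now()
        stale = [cid for cid, c in self.conns.items()
                 if not c.headers_done and now - c.opened > HEADER_DEADLINE_S]
        for cid in stale:
            self.close(cid)
        return stale
```

Call reap() from a periodic timer; a client that sends one header line every few seconds never completes its headers and is dropped at the deadline while fully formed requests are untouched.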

  • Web Application Firewalls

    WAFs are rule-based engines similar to IPS systems (RegEx) using Deep Packet Inspection (DPI) engines
    Come with generic detection typically based on ModSecurity
    Custom rules can be built to match application logic
    Plan for regular tuning, as apps change and new attack patterns emerge
    Developers may need additional testing to accommodate the WAF
    Always-enabled security protection (more than just DDoS)
    Cloud-based and On-Premises solutions available

  • Cloud-based WAFs

    Tied to Content Delivery Networks (CDN)
    CDNs work like a reverse proxy, caching objects, offloading 50-80% of traffic
    Cloud-based, distributed nature of CDN means less load on origin servers during Volumetric attacks
    Must provide SSL keys to CDN

  • Cloud-based WAFs Example

    Diagram of a request for www.example.com passing through the CDN to origin-www.example.com:
      – User resolves web property (www.example.com) to nearest CDN address (CDN IP)
      – User connects to CDN server to retrieve web content
      – CDN server sends cached data back to client. If the server doesn’t have all data cached or there is dynamic data, it queries one of the pre-defined CDN servers near origin.
      – CDN server near origin performs the same process, getting data from the Origin server (origin-www.example.com) if needed, and caching if appropriate.

  • Cloud-based WAFs – Pros & Cons

    Dynamic content must still return to origin servers, so the attack vector remains
    Can handle much of the load due to CDN integration
    Protects against HTTP(S) attacks only (not DNS, FTP, SMTP, etc.)
    Requires providing SSL cert to vendor
    Attackers can still target origin directly, unless ACLs are put in place
    “Spaghetti” calls between apps or out to Internet
    App developers need to understand caching rules and web logic
    Helps mitigate self-inflicted DDoS attacks (e.g. a successful marketing campaign)
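An added example, not from the deck or any vendor, modelling the CDN-fronted property from the example slide: the edge serves www.example.com from cache, only misses and dynamic content go back to origin-www.example.com, and an origin-side ACL refuses connections that do not come from the CDN's egress ranges (the address ranges, paths and caching rule are constructed).

```python
"""Model of the CDN-fronted property from the slides: the edge answers
www.example.com from cache, only misses and dynamic content go back to
origin-www.example.com, and an origin-side ACL admits only CDN addresses.
Added example; ranges, paths and the caching rule are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed: CDN egress ranges that the origin-side ACL allows in.
CDN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

def is_cacheable(path):
    # Constructed caching rule: static assets cached, dynamic paths always served by origin.
    return not (path.startswith("/api/") or path.startswith("/cart"))

@dataclass
class Origin:
    # origin-www.example.com; hits counts every request the application actually served.
    acl_enabled: bool = True
    hits: int = 0

    def fetch(self, path, src_ip):
        # With the ACL on, a request not sourced from the CDN never reaches the application.
        if self.acl_enabled and not any(ipaddress.ip_address(src_ip) in n for n in CDN_EGRESS):
            return 403, None
        self.hits += 1
        return 200, f"content of {path}"

@dataclass
class CdnEdge:
    # A CDN edge answering for www.example.com.
    origin: Origin
    egress_ip: str = "198.51.100.10"  # constructed, inside CDN_EGRESS
    cache: dict = field(default_factory=dict)
    cache_hits: int = 0
    origin_fetches: int = 0

    def get(self, path):
        """Serve from cache when possible; otherwise fetch from origin and cache if allowed."""
        if path in self.cache:
            self.cache_hits += 1
            return 200, self.cache[path]
        self.origin_fetches += 1
        status, body = self.origin.fetch(path, self.egress_ip)
        if status == 200 and is_cacheable(path):
            self.cache[path] = body
        return status, body

def offload_ratio(edge):
    """Fraction of edge requests answered without touching the origin."""
    total = edge.cache_hits + edge.origin_fetches
    return edge.cache_hits / total if total else 0.0
```

The offload ratio falls as the share of dynamic paths rises, which is the slide's point that dynamic content keeps the origin reachable through the CDN; the ACL is what stops requests that skip the CDN altogether.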

  • On-Prem WAFs

    Not tied to CDN, so no data offloading
    Sits behind the firewall inside your network
    Doesn’t protect against Volumetric attacks
    SSL Keys are always in your control
    WAF can be used for internal applications (open networks)

  • Non-Web Firewall Solutions

    Still many cloud-based solutions
      – Outsourced DNS, SMTP, SIP / Chat (?)
    Typical pros/cons are feature sets
      – Intelligent DNS Load Balancing
      – Rejecting SMTP / SIP message by destination
    Increase in DNS Firewalls

  • Summary

    DDoS Mitigation is easier in the cloud, before the attack touches your Internet link
    Volumetric attacks against non-HTTP(S) services are mitigated by DDoS Network Scrubbers
    Application layer attacks are best mitigated by WAFs (or other firewalls), which can also help harden applications (especially older ones) against attack
    Cloud-based WAFs are often tied to CDNs, which can add business value
    As with most cloud technologies, they’re still evolving – don’t expect a static environment.

  • Summary - Recommendations

    Have an attack plan - What is most important to you?
    Ensure you have Professional Services engaged
    Think about splitting Web Services onto a separate link from other protocols if your business is eCommerce based
    If cloud, ask about vuln scanning or pen testing while using services
    Make sure your contract allows for protection of apps hosted by a 3rd-party provider
    Ask critical service providers about their level of DDoS Protection
    Source: Arbor Worldwide Infrastructure Security Report 2012

  • Questions?

  • the right solution at the right time.